To the Editor: The rapid evolution and widespread adoption of cloud computing, big data, and artificial intelligence have significantly accelerated the digital transformation of medical institutions. However, this progress has also driven up the frequency and cost of data breaches, with the average breach costing approximately $15 million in the USA.[1] Such breaches pose serious threats to national security and public welfare, underscoring the urgent need for robust data protection and compliance in healthcare. Despite the benefits of advanced information technology, hospitals face substantial challenges in ensuring data security and compliance. To address these challenges, we propose a four-step solution for developing secure and compliant intelligent hospitals, providing a reference framework for data protection and compliance in the healthcare industry [Figure 1A].
Figure 1.
Summary of the work. (A) The four-step solution for data compliance management. The key elements in each step are listed. (B) Block-chain-based real-time data compliance monitoring system. This monitoring system simulates the data management life cycle within medical settings, ensuring timely review of data compliance practices, providing risk alerts accordingly, and offering robust assurance when data flows across different entities. The life cycle of data from data provider to data visitor is illustrated with the associated data handling, and detailed explanations are provided in the Supplementary File, http://links.lww.com/CM9/C266. (C) An illustration of a classic privacy computing-based medical research platform. The figure demonstrates the data supervision and integration process within a healthcare data management system, illustrating the flow and control of data from request submission to final data cleaning and integration. The process is divided into four main sections: Data applicator, Central control, Data provider, and Quality control. Detailed explanations are provided in the Supplementary File, http://links.lww.com/CM9/C266. DCM: Data compliance management.
The first step is to conduct a comprehensive data compliance risk assessment and develop the corresponding legal framework. Medical institutions need to identify and compile all relevant laws, regulations, and national standards [Supplementary Table 1, http://links.lww.com/CM9/C266]. Following this, they must assess existing compliance systems against the gathered information to identify vulnerabilities. Based on these insights, institutions should design and implement a data compliance management (DCM) system that includes data security measures, emergency planning, and risk assessment protocols.
The second step involves establishing an organizational structure and cultivating professional staffing, which are crucial for any service-oriented organization. To enhance the implementation of management plans and allocate sufficient manpower and resources, we advocate for the creation of a department of DCM with a three-tier management system: (1) Central coordination: The director of DCM is responsible for overarching policy decisions, ensuring alignment with legal requirements, and resource allocation. (2) Departmental coordination: This includes directors of each department, who are tasked with implementing policies, conducting risk assessments, and monitoring compliance at the departmental level. (3) Operational teams: These teams handle day-to-day data processing, ensuring adherence to protocols set by higher tiers. Their responsibilities include formulating and implementing institution-wide information security strategies; supervising and inspecting compliance with security management practices; regularly evaluating the security and availability of patient information; updating the business information system periodically; and conducting ongoing staff training, continuous education, and periodic certification.
The third step is to strengthen management supervision and foster a culture of data compliance. Given that data security encompasses the entire life cycle of data, stringent security supervision is critical. We advocate for the establishment of a specialized supervisory body to oversee the daily management and effective use of data. This body should fulfill the following functions: (1) exercise autonomous authority to monitor and address medical information security issues; (2) develop a structured supervisory system, standardize inspection methodologies, and establish key performance indicators to enhance system operability; (3) define clear governance objectives and assessment criteria and regularly evaluate the implementation of safety rules and regulations; and (4) develop rapid response strategies to swiftly address instances of non-compliance or breaches.
Engaging independent third-party auditors adds an additional layer of scrutiny and transparency, helping to identify potential gaps overlooked by internal teams. Regular external assessments ensure that security measures and practices remain robust and aligned with evolving standards and regulations. Furthermore, embedding the importance of data compliance into the organizational culture is fundamental. Medical institutions are encouraged to strengthen personnel ethics through comprehensive training and certifications, regularly updating these programs to reflect current best practices and regulations. Routine assessments should be conducted to gauge awareness of legal issues and to ensure the compliant use of information systems.
The fourth step involves incorporating advanced techniques to achieve intellectualization and standardization of DCM. Embracing advanced technologies not only furthers the digitalization of the healthcare system but also helps resolve potential conflicts between technical implementation and legal compliance. Based on past practice and legal considerations, we recommend integrating the following technical areas:
1. The office system should include DCM functions, encompassing the following three main modules [Supplementary Figure 1, http://links.lww.com/CM9/C266]: (1) a clearly delineated staffing structure; (2) integrated rules and regulations; and (3) a portal for external agencies and experts that facilitates interactions.
2. Patient authorization management platform [Supplementary Figure 2, http://links.lww.com/CM9/C266]. The platform should: (1) facilitate unified patient authorization across multiple medical information systems via a central authorization portal; (2) automatically update regulatory requirements and generate tailored patient consent forms to comply with current mandates; (3) issue risk warnings and timely alerts to prevent unauthorized data use or breaches; and (4) implement an enterprise master patient index to integrate patient information using a unique patient ID, ensuring the accuracy and integrity of personal information across various platforms.
3. Block-chain-based real-time data compliance monitoring system [Figure 1B and Supplementary Figure 3, http://links.lww.com/CM9/C266]. Block-chain technology ensures the accuracy, completeness, and timeliness of clinical trial data while facilitating the recording and deposition of compliance statuses.[2,3] This monitoring system leverages block-chain to provide comprehensive oversight of data compliance, thereby enhancing the reliability and security of medical data management.
4. Privacy computing-based medical research platform [Figure 1C and Supplementary Figure 4, http://links.lww.com/CM9/C266]. Privacy computing integrates cryptography, artificial intelligence, and secure hardware, focusing on the following three main areas: multi-party computation, federated learning, and trusted execution environments.[4] This approach encrypts data and operates within a secure computing environment, ensuring the safety of medical data sharing, even in multi-center studies.
5. Medical data analysis and processing system. This system scans various datasets and classifies, analyzes, and utilizes data according to its security level. For user-authorized information, it works with the authorization platform to ensure proper handling. To achieve these objectives, the system should be equipped with: (1) compliance processing templates for different data types; (2) the ability to intelligently scan, evaluate, classify, and desensitize data automatically; and (3) automatic selection of processing approaches based on the specific purposes of data handling.
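The following is an added illustration, not code from the letter or its authors, of how items 2 and 5 fit together: a processing template selected by the purpose of handling is applied field by field according to each field's sensitivity class, after a consent check keyed by the master patient index ID. The field classes, purposes, actions and consent registry are all assumed sample values.

```python
import hashlib

# Assumed field sensitivity classes (illustrative). Unknown fields default to
# "identifier" so the most restrictive handling applies when classification is missing.
FIELD_CLASS = {
    "patient_id": "identifier", "name": "identifier", "phone": "identifier",
    "birth_date": "quasi_identifier", "postcode": "quasi_identifier",
    "diagnosis": "clinical", "lab_result": "clinical",
}

# Compliance processing template per purpose of handling: one action per sensitivity class.
TEMPLATES = {
    "clinical_care": {"identifier": "keep", "quasi_identifier": "keep", "clinical": "keep"},
    "research": {"identifier": "pseudonymize", "quasi_identifier": "generalize", "clinical": "keep"},
    "statistics": {"identifier": "drop", "quasi_identifier": "generalize", "clinical": "keep"},
}

# Constructed stand-in for the authorization platform: purposes each master patient
# index (MPI) ID has consented to. A real deployment would query the platform instead.
CONSENTS = {
    "MPI-0001": {"clinical_care", "research", "statistics"},
    "MPI-0002": {"clinical_care"},
}

def pseudonymize(value, salt):
    # Salted, truncated hash: stable within one project, unlinkable across projects.
    return hashlib.sha256(f"{salt}:{value}".encode()).hexdigest()[:16]

def generalize(field, value):
    # Coarsen quasi-identifiers: year only for a date, first three digits of a postcode.
    return value[:4] if field == "birth_date" else value[:3] + "***" if field == "postcode" else value

def desensitize(record, purpose, salt="project-salt"):
    """Return a copy of record processed for `purpose`, or None when the patient
    has not authorized that purpose (fail closed rather than process)."""
    if purpose not in CONSENTS.get(record["patient_id"], set()):
        return None
    template = TEMPLATES[purpose]
    out = {}
    for field, value in record.items():
        action = template[FIELD_CLASS.get(field, "identifier")]
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(value, salt)
        elif action == "generalize":
            out[field] = generalize(field, value)
        # "drop": the field is omitted from the output entirely
    return out
```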
“Internet healthcare” offers significant benefits to individuals and healthcare organizations by reducing costs, enhancing speed and flexibility, and facilitating communication.[5] However, these advancements also introduce substantial security risks. To address these multifaceted data security challenges, we propose a four-step solution that encompasses legal and technical aspects while emphasizing the importance of management supervision and culture cultivation. This framework aims to provide a concise yet comprehensive approach to practicing data compliance in medical settings.
Funding
This study was supported by grants from the National Key R&D Program of China (Nos. 2024YFF0507404 and 2022YFC3602002), National High Level Hospital Clinical Research Funding (No. 2022-NHLHCRF-LX-02-03), and The Supply of High-quality Data Sets (No. 2024-13).
Footnotes
How to cite this article: Song XJ, Liu X, Yang XL, Si CZ, Zuo XB, He JJ, Cui Y. Strategizing data compliance in intelligent healthcare: A four-step solution. Chin Med J 2025;138:1254–1256. doi: 10.1097/CM9.0000000000003434
References
1. Seh AH, Zarour M, Alenezi M, Sarkar AK, Agrawal A, Kumar R, et al. Healthcare data breaches: Insights and implications. Healthcare (Basel) 2020;8:133. doi: 10.3390/healthcare8020133.
2. Al-Khazaali A, Kurnaz S. Study of integration of block chain and Internet of Things (IoT): An opportunity, challenges, and applications as medical sector and healthcare. Appl Nanosci 2023;13:1531–1537. doi: 10.1007/s13204-021-02070-5.
3. Ng WY, Tan TE, Movva P, Fang A, Yeo KK, Ho D, et al. Blockchain applications in health care for COVID-19 and beyond: A systematic review. Lancet Digit Health 2021;3:e819–e829. doi: 10.1016/S2589-7500(21)00210-7.
4. Gu X, Sabrina F, Fan Z, Sohail S. A review of privacy enhancement methods for federated learning in healthcare systems. Int J Environ Res Public Health 2023;20:6539. doi: 10.3390/ijerph20156539.
5. Shilo S, Rossman H, Segal E. Axes of a revolution: Challenges and promises of big data in healthcare. Nat Med 2020;26:29–38. doi: 10.1038/s41591-019-0727-5.